CLI Reference

Installation

# macOS
brew install sirrlock/tap/sirr

# Windows
scoop bucket add sirrlock https://github.com/sirrlock/scoop-bucket
scoop install sirr

# Or download from GitHub Releases
# https://github.com/sirrlock/sirr/releases

Environment Variables

push

Public dead drop — push a value with no key. Returns a shareable URL with a server-generated 256-bit hex ID.

sirr push "postgres://..." [--ttl <duration>] [--reads <n>] [--no-delete]
sirr push .env [--ttl <duration>]          # push entire .env file

• --ttl — Time to live. Format: 30s, 5m, 2h, 7d, 30d
• --reads — Maximum number of reads before the secret is burned
• --no-delete — Secret is sealed when reads are exhausted but stays in the database. Can be updated via PATCH /secrets/:key and unsealed

set

Org named secret — store a key-value pair scoped to an organization. Requires --org. Rejects duplicate keys with 409 Conflict.

sirr set DB_URL="postgres://..." --org myteam [--ttl <duration>] [--reads <n>] [--no-delete]

get

Retrieve a secret value by ID (public) or key (org). Increments the read counter. Burns or seals the secret if the read limit is reached.

sirr get <id>              # public dead-drop by ID
sirr get DB_URL --org myteam  # org secret by key

pull

Pull all secrets into a .env file on another machine.

sirr pull .env

run

Inject all secrets as environment variables and execute a command.

sirr run -- node app.js

list

List all active secrets. Metadata only — values are never shown.

sirr list

delete

Burn a secret immediately, regardless of TTL or read count.

sirr delete KEY

prune

Delete all expired secrets immediately.

sirr prune

audit

Query the audit log. Filter by key for per-secret tracing.

sirr audit [--key <key>] [--since <duration>] [--action <action>] [--limit <n>]